A credential compromise campaign named FortiBleed, identified by security researchers in mid-June 2026, has systematically extracted configuration files from internet-facing Fortinet FortiGate firewalls and cracked the stored password hashes within them. Arctic Wolf researchers estimate that between 30,000 and 75,000 devices across 194 countries now have verified, working administrator credentials in threat-actor hands. For healthcare organizations that depend on FortiGate appliances as a primary network perimeter control, the exposure is direct and immediate.
What the campaign does
Threat actors behind FortiBleed are not exploiting a single new vulnerability in the conventional sense. Instead, they are targeting configuration files that internet-facing FortiGate devices expose or have previously exposed through known weaknesses, then extracting the credential hashes those files contain and cracking them offline.
The result is a credential set that functions against the management interface of the affected device. An attacker holding working administrator credentials for a firewall can alter routing and access-control rules, create persistent backdoor accounts, intercept traffic, or disable logging — all without triggering the kind of alerts that exploitation attempts typically generate.
The geographic scope — 194 countries — reflects how widely FortiGate hardware is deployed across every sector, including hospitals, physician groups, and health system branch offices that purchased the appliances as a standard enterprise perimeter solution.
Why healthcare networks face elevated risk
Healthcare organizations present a specific combination of risk factors that makes this campaign particularly consequential. Many independent practices and smaller health systems purchased FortiGate appliances years ago and have not maintained consistent firmware patch cycles, which is precisely the condition that allowed configuration-file exposure in the first place.
Firewall administrator credentials are also not treated with the same urgency as EHR login credentials in most practice security programs. Privileged access management for network infrastructure — meaning the formal vaulting, rotation, and monitoring of credentials used to administer switches, firewalls, and VPN concentrators — is often absent in organizations below the large health system tier.
If an attacker gains administrator access to the firewall sitting in front of a practice's EHR server or claims processing system, HIPAA's technical safeguard requirements around access controls and audit controls become effectively unenforceable. The device meant to enforce those boundaries is under adversary control.
What administrators should check now
Organizations running FortiGate hardware should treat this campaign as an active incident until they can confirm otherwise. The immediate priority areas are:
- Firmware version and patch status. Confirm that all FortiGate appliances are running current firmware and that any previously disclosed configuration-exposure vulnerabilities have been remediated. If patch status is uncertain, assume exposure.
- Management interface accessibility. Verify that the administrative interface of every FortiGate device is not reachable from the public internet. Management access should be restricted to internal management VLANs or dedicated out-of-band networks.
- Credential rotation. All administrator accounts on affected or potentially affected devices should have passwords changed immediately, regardless of whether compromise has been confirmed. Hashes cracked offline leave no trace on the device itself.
- Log review. Examine firewall management logs for authentication events, configuration changes, and new account creation occurring outside normal change-management windows. Absence of suspicious logs is not exculpatory if logging was disabled or altered.
- Third-party managed firewall agreements. Practices that outsourced firewall management to an IT managed services provider should request written confirmation that the provider has completed the above steps and documented the results.
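The log-review, management-exposure and new-account checks above can be scripted against exported FortiGate event logs. The following is an added example written for this article, not code from Fortinet, Arctic Wolf or the article's author. It assumes the key=value syslog layout FortiGate event logs use (`date`, `time`, `type`, `subtype`, `logdesc`, `user`, `srcip`, `cfgpath`, `cfgobj`, `cfgattr`, `action`); the specific `logdesc` strings, the sample lines, the 08:00 to 18:00 change window and the use of documentation address ranges as stand-ins for public IPs are all constructed assumptions and should be adjusted to your own devices' logs and change-management calendar.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample lines in FortiGate-style key=value event-log format.
# 198.51.100.23 (an RFC 5737 documentation range) stands in for a public address.
SAMPLE_LOGS = [
    'date=2026-06-15 time=02:13:41 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" '
    'srcip=198.51.100.23 method="https" action="login" status="success"',
    'date=2026-06-15 time=02:15:02 type="event" subtype="system" level="information" '
    'logdesc="Object configured" user="admin" ui="https(198.51.100.23)" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-06-15 time=02:16:30 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" '
    'action="Edit" cfgpath="log.syslogd.setting" cfgobj="setting" '
    'cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"',
    'date=2026-06-15 time=10:05:11 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="netops" ui="ssh(10.20.0.5)" '
    'srcip=10.20.0.5 method="ssh" action="login" status="success"',
    'date=2026-06-15 time=10:07:44 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="netops" ui="ssh(10.20.0.5)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[...]"',
]

# Address ranges treated as "internal management network" (assumption: RFC 1918,
# loopback and link-local). Anything else is treated as reachable from outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# key=value pairs; values are either double-quoted or a single unbroken token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one FortiGate-style event line into a dict of field -> value."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV_RE.findall(line)}


def is_internal(ip):
    """True if ip falls inside one of the assumed internal management ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def review(lines, change_window=(time(8, 0), time(18, 0))):
    """Return a list of (rule, timestamp, user, detail) findings for the checks
    the article lists: admin logins from outside the management network, new
    administrator accounts, logging being disabled, and configuration changes
    outside the change-management window."""
    start, end = change_window
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        user = ev.get("user", "?")
        desc = ev.get("logdesc", "")

        # Rule 1: successful admin login whose source is not an internal range.
        # This is direct evidence the management interface is reachable externally.
        if desc == "Admin login successful":
            src = ev.get("srcip", "")
            if not is_internal(src):
                findings.append(("MGMT_PUBLIC_LOGIN", ts, user,
                                 f"login from {src} via {ev.get('method', '?')}"))
            continue

        if desc not in ("Object configured", "Object attribute configured"):
            continue
        path, attr, action = ev.get("cfgpath", ""), ev.get("cfgattr", ""), ev.get("action", "")

        # Rule 2: a new entry under system.admin is a new administrator account.
        if path == "system.admin" and action == "Add":
            findings.append(("NEW_ADMIN_ACCOUNT", ts, user, f"added admin {ev.get('cfgobj', '?')}"))
        # Rule 3: any log.* setting flipped to disable (logging tampering).
        if path.startswith("log.") and "->disable" in attr:
            findings.append(("LOGGING_DISABLED", ts, user, f"{path} {attr}"))
        # Rule 4: any configuration change outside the agreed change window.
        if not (start <= ts.time() <= end):
            findings.append(("OUT_OF_WINDOW_CHANGE", ts, user, f"{action} {path} {ev.get('cfgobj', '')}"))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    return Counter(rule for rule, *_ in findings)


if __name__ == "__main__":
    for rule, ts, user, detail in review(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<22} user={user:<10} {detail}")
    print(dict(summarize(review(SAMPLE_LOGS))))
```

Run it against a real export by replacing `SAMPLE_LOGS` with the lines of your event log. Note the article's caveat still applies: a clean run proves nothing if logging was disabled or the log store was altered, so the third rule firing, or an unexplained gap in the timeline, should be treated as seriously as an out-of-window account creation.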
What this signals about the next 12 months
FortiBleed follows a now-established pattern in which threat actors shift from opportunistic exploitation of fresh vulnerabilities to systematic harvesting of credentials from devices that were vulnerable months or years earlier. That pattern means the window between public disclosure of a firewall flaw and active credential use against healthcare targets has effectively collapsed.
The campaign also illustrates why network infrastructure credentials belong inside the same privileged-access discipline that healthcare organizations are increasingly applying to clinical systems. Regulatory guidance from HHS and NIST's healthcare-sector cybersecurity publications has consistently identified network device management as a gap area for smaller covered entities. FortiBleed demonstrates the practical cost of leaving that gap unaddressed.